CTMA — Cognitive Threat Modeling Assistant
Elevator Pitch: CTMA uses Gemini 3 Pro to analyze cybersecurity breaches through cognitive psychology — treating the human mind as the primary attack surface, not the system.
💡 Inspiration
Every year, over 90% of cybersecurity breaches involve human error. Yet the industry's response is almost always the same: "The user clicked the link."
But why did they click? Were they exhausted after a 10-hour shift? Were they processing their 47th alert of the day? Was the phishing email impersonating their CEO?
Traditional security tools tell us what happened. We wanted to build something that explains why — by treating the human mind as the primary attack surface.
CTMA was inspired by cognitive psychology research, particularly:
- Kahneman's Dual Process Theory — how stress forces us from analytical (System 2) to reflexive (System 1) thinking
- Vigilance Decrement — the Mackworth Clock studies showing attention decay over time
- Automation Bias — why we trust systems even when they're wrong
We asked: What if we could simulate these cognitive states and use AI to perform forensic analysis on the human decision-making process?
🧠 What We Learned
Cognitive science is underutilized in cybersecurity. Most tools focus on network telemetry, but human telemetry — workload, stress, decision latency — is rarely modeled.
Counterfactual reasoning is powerful. By asking "what if alert density was lower?" we can isolate the exact stressor that caused a failure. This moves us from blame to actionable design changes.
Gemini 3 Pro excels at structured reasoning. The 4-stage forensic pipeline (Reconstruction → Inference → Counterfactual → Mitigation) leverages Gemini's ability to maintain context across complex multi-step prompts.
Synthetic telemetry is ethically essential. Real cognitive monitoring is invasive. Our sandbox approach allows forensic analysis of human behavior patterns without surveilling real employees.
🛠️ How We Built It
Architecture
```
┌─────────────────────────────────────────────────────────────┐
│ CTMA Frontend (React + TypeScript)                          │
├─────────────────────────────────────────────────────────────┤
│ Scenario Selector   │ Telemetry Dashboard   │ Report View   │
└──────────┬──────────┴───────────┬───────────┴───────┬───────┘
           │                      │                   │
           ▼                      ▼                   ▼
┌─────────────────────────────────────────────────────────────┐
│ Cognitive Telemetry Sandbox (CTS)                           │
│ • Cognitive State Logs [C-0, C-1, ...]                      │
│ • Environment Events [E-0, E-1, ...]                        │
│ • Interaction Traces [I-0, I-1, ...]                        │
└──────────────────────────┬──────────────────────────────────┘
                           │
                           ▼
┌─────────────────────────────────────────────────────────────┐
│ Gemini 3 Pro Reasoning Engine                               │
│ Stage 1: Cognitive Reconstruction                           │
│ Stage 2: Vulnerability Inference                            │
│ Stage 3: Counterfactual Reasoning                           │
│ Stage 4: Human-Centered Mitigations                         │
└─────────────────────────────────────────────────────────────┘
```
Tech Stack
| Layer | Technology |
|---|---|
| Frontend | React, TypeScript, Tailwind CSS, Lucide Icons |
| AI Engine | Gemini 3 Pro via @google/genai SDK |
| Deployment | Google Cloud Run |
| Telemetry | Custom JSON schema simulating cognitive states |
The Gemini Integration
We designed a structured reasoning prompt that forces Gemini to output in two parts:
- JSON Risk Metrics — machine-readable summary for the dashboard
- Forensic Narrative — human-readable 4-stage report
The system instruction constrains output format while allowing Gemini to reason freely within each stage. Temperature is set to 0.1 for consistency.
```typescript
// @google/genai request; `ai`, `MODEL_ID` and `scenarioPrompt` are placeholder names.
const response = await ai.models.generateContent({
  model: MODEL_ID,
  contents: scenarioPrompt,
  config: {
    systemInstruction: systemInstruction, // constrains the two-part output format
    temperature: 0.1,                     // low temperature for consistent structure
    topP: 0.95,
  },
});
```
🚧 Challenges We Faced
1. Prompt Engineering for Structured Output
Getting Gemini to reliably produce both JSON and narrative in a single response required careful delimiter design (===REPORT_START===) and robust parsing logic.
2. Counterfactual Reasoning Accuracy
Early prompts produced vague counterfactuals. We solved this by explicitly injecting the toggle states into the prompt and instructing Gemini to quantify the delta in risk.
3. Telemetry Cross-Referencing
We wanted clickable [C-0], [E-1], [I-2] tags in the report that jump to source logs. This required bidirectional state management between the report renderer and telemetry dashboard.
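As an added example (not CTMA's own code), the parsing step for the two-part response from challenge 1 and the cross-reference check from challenge 3 in one function, assuming a constructed metrics schema and a constructed list of sandbox telemetry IDs:

```typescript
// Added example, not CTMA's own code. Splits the two-part Gemini response
// (JSON risk metrics, then the forensic narrative) on the ===REPORT_START===
// delimiter from the write-up, and checks that every [C-n]/[E-n]/[I-n] tag the
// narrative cites exists in the sandbox telemetry. RiskMetrics field names and
// the sample reply are constructed for illustration, not CTMA's real schema.
const REPORT_DELIMITER = "===REPORT_START===";
const FENCE = "`".repeat(3); // triple backtick, built this way to keep the page's fence intact

interface RiskMetrics {
  overallRisk: number;      // assumed field, expected in [0, 1]
  dominantStressor: string; // assumed field
}

interface ParsedResponse {
  metrics: RiskMetrics;
  narrative: string;
  citedTags: string[];   // tags in citation order, de-duplicated
  unknownTags: string[]; // cited in the narrative but never emitted by the sandbox
}

// Telemetry IDs the sandbox actually emitted (constructed sample).
const telemetryIds: readonly string[] = ["C-0", "C-1", "E-0", "E-1", "I-0", "I-1", "I-2"];

function parseGeminiResponse(raw: string, knownIds: readonly string[] = telemetryIds): ParsedResponse {
  const idx = raw.indexOf(REPORT_DELIMITER);
  if (idx < 0) throw new Error("delimiter missing: refuse to render an unstructured reply");
  let jsonPart = raw.slice(0, idx).trim();
  const narrative = raw.slice(idx + REPORT_DELIMITER.length).trim();
  // Models often wrap the JSON in a code fence even when told not to; strip it before parsing.
  jsonPart = jsonPart.replace(new RegExp("^" + FENCE + "(?:json)?\\s*", "i"), "")
                     .replace(new RegExp(FENCE + "\\s*$"), "").trim();
  const parsed = JSON.parse(jsonPart) as Partial<RiskMetrics>;
  const risk = parsed.overallRisk;
  if (typeof risk !== "number" || risk < 0 || risk > 1) throw new Error("overallRisk missing or out of range");
  const metrics: RiskMetrics = { overallRisk: risk, dominantStressor: String(parsed.dominantStressor ?? "unknown") };
  // Collect citations; a tag the sandbox never produced is a fabricated reference and must not be linked.
  const tagRe = /\[([CEI]-\d+)\]/g;
  const citedTags: string[] = [];
  let m: RegExpExecArray | null;
  while ((m = tagRe.exec(narrative)) !== null) {
    if (citedTags.indexOf(m[1]) < 0) citedTags.push(m[1]);
  }
  const unknownTags = citedTags.filter((t) => knownIds.indexOf(t) < 0);
  return { metrics, narrative, citedTags, unknownTags };
}

// Constructed sample reply: fenced JSON, the delimiter, then a narrative citing one unknown tag [E-7].
const sampleResponse = [FENCE + "json", '{"overallRisk": 0.82, "dominantStressor": "alert density"}', FENCE,
  REPORT_DELIMITER, "Stage 1: At [C-1] the analyst had handled 47 alerts when [E-1] arrived; the click is logged at [I-2].",
  "Stage 2: Vigilance decrement inferred from [C-1] and an unlogged event [E-7]."].join("\n");
```

A renderer should link only `citedTags` that are not in `unknownTags`, and surface the unknown ones as a warning rather than silently dropping them.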
4. Balancing Scientific Rigor with Usability
The tool is grounded in peer-reviewed psychology research (Kahneman, Sweller, Parasuraman). But hackathon judges and end-users need intuitive output. We iterated on the UI to make forensic reports feel like narratives, not academic papers.
🚀 What's Next
- Custom Scenario Builder — let users upload their own telemetry logs
- Real-Time Integration — connect to SIEM tools for live cognitive risk scoring
- Multi-Agent Simulation — model team dynamics and social engineering chains
- Explainable Mitigations — generate design mockups for recommended UI changes
📚 References
- Kahneman, D. (2011). Thinking, Fast and Slow
- Sweller, J. (1988). Cognitive Load During Problem Solving
- Mackworth, N. H. (1948). The Breakdown of Vigilance During Prolonged Visual Search
- Parasuraman, R., & Manzey, D. H. (2010). Complacency and Bias in Human Use of Automation
CTMA: Because the real vulnerability isn't the firewall — it's the brain behind the keyboard.
Built With
- Gemini 3
- Google Cloud Run
- React
- Tailwind
- TypeScript